build(deps): bump the npm-root group with 10 updates

[dependabot]

Bumps the npm-root group with 10 updates:

Package	From	To
sass	1.98.0	1.99.0
@antfu/eslint-config	7.7.3	8.0.0
@tauri-apps/plugin-updater	2.10.0	2.10.1
@types/node	25.5.0	25.5.2
eslint	10.1.0	10.2.0
fast-glob	3.3.1	3.3.3
picomatch	2.3.2	4.0.4
@types/picomatch	4.0.2	4.0.3
turbo	2.9.3	2.9.4
zod	3.25.76	4.3.6

Updates sass from 1.98.0 to 1.99.0

Release notes

Sourced from sass's releases.

Dart Sass 1.99.0

To install Sass 1.99.0, download one of the packages below and add it to your PATH, or see the Sass website for full installation instructions.

Changes

• Add support for parent selectors (&) at the root of the document. These are emitted as-is in the CSS output, where they're interpreted as the scoping root.

• User-defined functions named calc or clamp are no longer forbidden. If such a function exists without a namespace in the current module, it will be used instead of the built-in calc() or clamp() function.

• User-defined functions whose names begin with - and end with -expression, -url, -and, -or, or -not are no longer forbidden. These were originally intended to match vendor prefixes, but in practice no vendor prefixes for these functions ever existed in real browsers.

• User-defined functions named EXPRESSION, URL, and ELEMENT, those that begin with - and end with -ELEMENT, as well as the same names with some lowercase letters are now deprecated, These are names conflict with plain CSS functions that have special syntax.

  See the Sass website for details.

• In a future release, calls to functions whose names begin with - and end with -expression and -url will no longer have special parsing. For now, these calls are deprecated if their behavior will change in the future.

  See the Sass website for details.

• Calls to functions whose names begin with - and end with -progid:... are deprecated.

  See the Sass website for details.

See the full changelog for changes in earlier releases.

Changelog

Sourced from sass's changelog.

1.99.0

• Add support for parent selectors (&) at the root of the document. These are emitted as-is in the CSS output, where they're interpreted as the scoping root.

• User-defined functions named calc or clamp are no longer forbidden. If such a function exists without a namespace in the current module, it will be used instead of the built-in calc() or clamp() function.

• User-defined functions whose names begin with - and end with -expression, -url, -and, -or, or -not are no longer forbidden. These were originally intended to match vendor prefixes, but in practice no vendor prefixes for these functions ever existed in real browsers.

• User-defined functions named EXPRESSION, URL, and ELEMENT, those that begin with - and end with -ELEMENT, as well as the same names with some lowercase letters are now deprecated, These are names conflict with plain CSS functions that have special syntax.

  See the Sass website for details.

• In a future release, calls to functions whose names begin with - and end with -expression and -url will no longer have special parsing. For now, these calls are deprecated if their behavior will change in the future.

  See the Sass website for details.

• Calls to functions whose names begin with - and end with -progid:... are deprecated.

  See the Sass website for details.

Commits

• 83c39fe Support the top-level parent selector (#2758)
• ec85871 Bump EndBug/add-and-commit from 9 to 10 (#2756)
• a604acd [Function Name] Implement changes (#2731)
• See full diff in compare view

Updates @antfu/eslint-config from 7.7.3 to 8.0.0

Release notes

Sourced from @​antfu/eslint-config's releases.

v8.0.0

   🚨 Breaking Changes

• react: Update eslint react to 3.0  -  by @​hyoban in antfu/eslint-config#832 (83c1d)

   🚀 Features

• Update plugins  -  by @​antfu (ad998)

    View changes on GitHub

Commits

• a1e7fa4 chore: release v8.0.0
• ad99814 feat: update plugins
• 83c1d11 feat(react)!: update eslint react to 3.0 (#832)
• 54241c1 chore: update snapshot
• See full diff in compare view

Updates @tauri-apps/plugin-updater from 2.10.0 to 2.10.1

Release notes

Sourced from @​tauri-apps/plugin-updater's releases.

updater-js v2.10.1

[2.10.1]

• 31ab6f8d (#3285 by @​hrzlgnm) fix: preserve file extension of updater package, otherwise users may get confused when presented with a sudo dialog suggesting to install a file with the extension .rpm using dpkg -i

npm warn Unknown user config "always-auth". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm warn publish npm auto-corrected some errors in your package.json when publishing.  Please run "npm pkg fix" to address these errors.
npm warn publish errors corrected:
npm warn publish "repository" was changed from a string to an object
npm warn publish "repository.url" was normalized to "git+https://github.com/tauri-apps/plugins-workspace.git"
npm notice
npm notice 📦  @tauri-apps/plugin-updater@2.10.1
npm notice Tarball Contents
npm notice 888B LICENSE.spdx
npm notice 3.1kB README.md
npm notice 2.6kB dist-js/index.cjs
npm notice 2.3kB dist-js/index.d.ts
npm notice 2.6kB dist-js/index.js
npm notice 659B package.json
npm notice Tarball Details
npm notice name: @tauri-apps/plugin-updater
npm notice version: 2.10.1
npm notice filename: tauri-apps-plugin-updater-2.10.1.tgz
npm notice package size: 3.7 kB
npm notice unpacked size: 12.1 kB
npm notice shasum: ea0efd766890394b6c719b9fc21de7da0029c69c
npm notice integrity: sha512-NFYMg+tWOZPJd[...]Y1WVCNHnh3eRA==
npm notice total files: 6
npm notice
npm notice Publishing to https://registry.npmjs.org/ with tag latest and public access
npm notice publish Signed provenance statement with source and build information from GitHub Actions
npm notice publish Provenance statement published to transparency log: https://search.sigstore.dev/?logIndex=1235993797
+ @tauri-apps/plugin-updater@2.10.1

updater v2.10.1

[2.10.1]

• 31ab6f8d (#3285 by @​hrzlgnm) fix: preserve file extension of updater package, otherwise users may get confused when presented with a sudo dialog suggesting to install a file with the extension .rpm using dpkg -i

</tr></table> 

... (truncated)

Commits

• d6a3898 Publish New Versions (v2) (#3268)
• 2e5bcdf chore(deps): fix audits (#3373)
• 4374b4f chore(notification): remove unused dev-deps (#3372)
• f75d21d chore(deps): remove used of tauri-utils build feature (#3360)
• 4b95f5e chore(deps): update dependency eslint to v10.1.0 (#3357)
• 99c3e37 chore(deps): bump tar in /plugins/updater/tests/updater-migration/v1-app (#3352)
• eaac19a chore(deps): update rust crate tar to v0.4.45 [security] (#3353)
• 5183e31 chore(deps): update dependency typescript-eslint to v8.57.1 (#3344)
• 2c0883e chore(deps): update dependency vite to v8 (#3346)
• 024ec0c fix(deep-link): ChromeOS deep link calls filtered and ignored by plugin (fix ...
• Additional commits viewable in compare view

Updates @types/node from 25.5.0 to 25.5.2

Commits

• See full diff in compare view

Updates eslint from 10.1.0 to 10.2.0

Release notes

Sourced from eslint's releases.

v10.2.0

Features

• 586ec2f feat: Add meta.languages support to rules (#20571) (Copilot)
• 14207de feat: add Temporal to no-obj-calls (#20675) (Pixel998)
• bbb2c93 feat: add Temporal to ES2026 globals (#20672) (Pixel998)

Bug Fixes

• 542cb3e fix: update first-party dependencies (#20714) (Francesco Trotta)

Documentation

• a2af743 docs: add language to configuration objects (#20712) (Francesco Trotta)
• 845f23f docs: Update README (GitHub Actions Bot)
• 5fbcf59 docs: remove sourceType from ts playground link (#20477) (Tanuj Kanti)
• 8702a47 docs: Update README (GitHub Actions Bot)
• ddeaded docs: Update README (GitHub Actions Bot)
• 2b44966 docs: add Major Releases section to Manage Releases (#20269) (Milos Djermanovic)
• eab65c7 docs: update eslint versions in examples (#20664) (루밀LuMir)
• 3e4a299 docs: update ESM Dependencies policies with note for own-usage packages (#20660) (Milos Djermanovic)

Chores

• 8120e30 refactor: extract no unmodified loop condition (#20679) (kuldeep kumar)
• 46e8469 chore: update dependency markdownlint-cli2 to ^0.22.0 (#20697) (renovate[bot])
• 01ed3aa test: add unit tests for unicode utilities (#20622) (Manish chaudhary)
• 811f493 ci: remove --legacy-peer-deps from types integration tests (#20667) (Milos Djermanovic)
• 6b86fcf chore: update dependency npm-run-all2 to v8 (#20663) (renovate[bot])
• 632c4f8 chore: add prettier update commit to .git-blame-ignore-revs (#20662) (루밀LuMir)
• b0b0f21 chore: update dependency eslint-plugin-regexp to ^3.1.0 (#20659) (Milos Djermanovic)
• 228a2dd chore: update dependency eslint-plugin-eslint-plugin to ^7.3.2 (#20661) (Milos Djermanovic)
• 3ab4d7e test: Add tests for eslintrc-style keys (#20645) (kuldeep kumar)

Commits

• 000128c 10.2.0
• 1988fad Build: changelog update for 10.2.0
• 542cb3e fix: update first-party dependencies (#20714)
• a2af743 docs: add language to configuration objects (#20712)
• 845f23f docs: Update README
• 5fbcf59 docs: remove sourceType from ts playground link (#20477)
• 8702a47 docs: Update README
• ddeaded docs: Update README
• 8120e30 refactor: extract no unmodified loop condition (#20679)
• 46e8469 chore: update dependency markdownlint-cli2 to ^0.22.0 (#20697)
• Additional commits viewable in compare view

Updates fast-glob from 3.3.1 to 3.3.3

Release notes

Sourced from fast-glob's releases.

3.3.3

Full Changelog: mrmlnc/fast-glob@3.3.2...3.3.3

💬 Common

• Refer to micromatch@4.0.8 to avoid annoying npm audit spam (#443, #444, #454, #456, #457, #461)

🐛 Bug fixes

• Apply absolute negative patterns to full path instead of file path (#441, thanks @​webpro)

3.3.2

Full Changelog: mrmlnc/fast-glob@3.3.1...3.3.2

🐛 Bug fixes

• Handle square brackets as a special character on Windows in escape functions (#425)
• Keep escaping after brace expansion (#422)

Commits

• 4868789 3.3.3
• 73be367 Merge pull request #464 from mrmlnc/3.3.3
• 55c7b33 perf: optimizing the patterns set matching by exiting early
• ea113fd docs: add information about enumerable properties for the fs option
• 41e4730 fix: apply absolute negative patterns to full path instead of file path
• 54ad12d build: fix watch command
• 7410547 chore: refer to micromatch@4.0.8 to avoid annoying npm audit spam
• ca61085 build: freeze fdir dependency to avoid tsc issues
• e60a9f5 3.3.2
• 8638dc6 fix: escape square braces on Windows platform
• Additional commits viewable in compare view

Updates picomatch from 2.3.2 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

4.0.3

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144

New Contributors

• @​Jason3S made their first contribution in micromatch/picomatch#144

Full Changelog: micromatch/picomatch@4.0.2...4.0.3

3.0.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@3.0.1...3.0.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

• Fix bad text values in parse #126, thanks to @​connor4312

Changed

• Remove process global to work outside of node #129, thanks to @​styfle
• Add sideEffects to package.json #128, thanks to @​frandiox
• Removed os, make compatible browser environment. See #124, thanks to @​gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Updates @types/picomatch from 4.0.2 to 4.0.3

Commits

• See full diff in compare view

Updates turbo from 2.9.3 to 2.9.4

Release notes

Sourced from turbo's releases.

Turborepo v2.9.4

What's Changed

@​turbo/codemod

• fix: Always update $schema URL to versioned format during migration by @​anthonyshew in vercel/turborepo#12529
• fix: Support turbo.jsonc in codemod transforms by @​anthonyshew in vercel/turborepo#12532
• fix: Preserve prerelease info in schema URL during codemod migration by @​anthonyshew in vercel/turborepo#12542

Examples

• build(deps): Bump @​xmldom/xmldom from 0.8.11 to 0.8.12 in /examples/with-react-native-web by @​dependabot[bot] in vercel/turborepo#12537

Changelog

• feat: Add incremental task caching by @​anthonyshew in vercel/turborepo#12531
• docs: Send siteId as label on feedback GitHub issues by @​molebox in vercel/turborepo#12527
• Replace local ai-agent-detection with @​vercel/agent-readability by @​molebox in vercel/turborepo#12528
• fix: Prevent filterUsingTasks --filter from pulling dependents into Task Graph by @​anthonyshew in vercel/turborepo#12535
• fix: Only enforce signature key length for keys that exist by @​anthonyshew in vercel/turborepo#12538
• fix: Validate engine concurrency after task-level filtering by @​anthonyshew in vercel/turborepo#12540
• feat: Allow --affected and --filter to be combined by @​anthonyshew in vercel/turborepo#12543
• fix(config): Deep-merge nested OTEL config across priority sources by @​bitttttten in vercel/turborepo#12513
• fix: Retain microfrontend proxy tasks when using filterUsingTasks by @​anthonyshew in vercel/turborepo#12545
• fix: Bun workspace lockfile pruning producing invalid output by @​JRoy in vercel/turborepo#12548
• fix: Respect dirty .gitignore patterns during task input hashing by @​anthonyshew in vercel/turborepo#12557

New Contributors

• @​JRoy made their first contribution in vercel/turborepo#12548

Full Changelog: vercel/turborepo@v2.9.3...v2.9.4

Turborepo v2.9.4-canary.8

What's Changed

Changelog

• fix: Bun workspace lockfile pruning producing invalid output by @​JRoy in vercel/turborepo#12548

New Contributors

• @​JRoy made their first contribution in vercel/turborepo#12548

Full Changelog: vercel/turborepo@v2.9.4-canary.7...v2.9.4-canary.8

Turborepo v2.9.4-canary.7

What's Changed

Changelog

• fix(config): Deep-merge nested OTEL config across priority sources by @​bitttttten in vercel/turborepo#12513
• fix: Retain microfrontend proxy tasks when using filterUsingTasks by @​anthonyshew in vercel/turborepo#12545

Full Changelog: vercel/turborepo@v2.9.4-canary.6...v2.9.4-canary.7

... (truncated)

Commits

• 5f7a52c publish 2.9.4 to registry
• 01802b4 release(turborepo): 2.9.4-canary.8 (#12558)
• 1254916 fix: Respect dirty .gitignore patterns during task input hashing (#12557)
• 0346076 fix: Bun workspace lockfile pruning producing invalid output (#12548)
• b7d89a4 release(turborepo): 2.9.4-canary.7 (#12546)
• a4b943e fix: Retain microfrontend proxy tasks when using filterUsingTasks (#12545)
• 0e763f8 release(turborepo): 2.9.4-canary.6 (#12544)
• f214dc8 fix(config): Deep-merge nested OTEL config across priority sources (#12513)
• 98ab3b6 feat: Allow --affected and --filter to be combined (#12543)
• 81b39a5 fix: Preserve prerelease info in schema URL during codemod migration (#12542)
• Additional commits viewable in compare view

Updates zod from 3.25.76 to 4.3.6

Release notes

Sourced from zod's releases.

v4.3.6

Commits:

• 9977fb0868432461de265a773319e80a90ba3e37 Add brand.dev to sponsors
• f4b7bae3468f6188b8f004e007d722148fc91d77 Update pullfrog.yml (#5634)
• 251d7163a0ac7740fee741428d913e3c55702ace Clean up workflow_call
• edd4132466da0f5065a8e051b599d01fdd1081d8 fix: add missing User-agent to robots.txt and allow all (#5646)
• 85db85e9091d0706910d60c7eb2e9c181edd87bd fix: typo in codec.test.ts file (#5628)
• cbf77bb12bdfda2e054818e79001f5cb3798ce76 Avoid non null assertion (#5638)
• dfbbf1c1ae0c224b8131d80ddf0a264262144086 Avoid re-exported star modules (#5656)
• 762e911e5773f949452fd6dd4e360f2362110e8e Generalize numeric key handling
• ca3c8629c0c2715571f70b44c2433cad3db7fe4e v4.3.6

v4.3.5

Commits:

• 21afffdb42ccab554036312e33fed0ea3cb8f982 [Docs] Update migration guide docs for deprecation of message (#5595)
• e36743e513aadb307b29949a80d6eb0dcc8fc278 Improve mini treeshaking
• 0cdc0b8597999fd9ca99767b912c1e82c1ff2d6c 4.3.5

v4.3.4

Commits:

• 1a8bea3b474eada6f219c163d0d3ad09fadabe72 Add integration tests
• e01cd02b2f23d7e9078d3813830b146f8a2258b4 Support patternProperties for looserecord (#5592)
• 089e5fbb0f58ce96d2c4fb34cd91724c78df4af5 Improve looseRecord docs
• decef9c418d9a598c3f1bada06891ba5d922c5cd Fix lint
• 9443aab00d44d5d5f4a7eada65fc0fc851781042 Drop iso time in fromJSONSchema
• 66bda7491a1b9eab83bdeec0c12f4efc7290bd48 Remove .refine() from ZodMiniType
• b4ab94ca608cd5b581bfc12b20dd8d95b35b3009 4.3.4

v4.3.3

Commits:

• f3b2151959d215d405f54dff3c7ab3bf1fd887ca v4.3.3

v4.3.2

Commits:

• bf96635d243118de6e4f260077aa137453790bf6 Loosen strictObjectinside intersection (#5587)
• f71dc0182ab0f0f9a6be6295b07faca269e10179 Remove Juno (#5590)
• 0f41e5a12a43e6913c9dcb501b2b5136ea86500d 4.3.2

v4.3.1

Commits:

• 0fe88407a4149c907929b757dc6618d8afe998fc allow non-overwriting extends with refinements. 4.3.1

v4.3.0

This is Zod's biggest release since 4.0. It addresses several of Zod's longest-standing feature requests.

... (truncated)

Commits

• ca3c862 v4.3.6
• 762e911 Generalize numeric key handling
• dfbbf1c Avoid re-exported star modules (#5656)
• cbf77bb Avoid non null assertion (#5638)
• 85db85e fix: typo in codec.test.ts file (#5628)
• edd4132 fix: add missing User-agent to robots.txt and allow all (#5646)
• 251d716 Clean up workflow_call
• f4b7bae Update pullfrog.yml (#5634)
• 9977fb0 Add brand.dev to sponsors
• 0cdc0b8 4.3.5
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies, javascript. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.